
Murray Demands Answers from Premera Blue Cross Following Cyberattack that Impacted Millions of Washington State Residents


Cyberattack may have impacted personal information of 6 million current and former Washington state residents 

Murray expresses concern over Premera’s delay in informing those impacted

(Washington, D.C.) – Today, U.S. Senator Patty Murray (D-WA), Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, wrote a letter to Premera Blue Cross demanding answers following a security breach that left the personal information, and potentially the health and financial information, of 11 million people, including 6 million current and former Washington state residents, vulnerable to attackers. In the letter, Murray questioned Premera President Jeff Roe on the company’s failure to immediately inform the 11 million current and former policy holders that their information may have been compromised. She also asked about the company’s plans to help those impacted get the assistance they need and what the company is doing to prevent future cyberattacks of this nature.

“I write to express my serious concern regarding the cyberattack on Premera Blue Cross and the failure of the company to make this information public and begin notifying current and former policy holders for over six weeks,” Senator Murray wrote in the letter. “These failures are particularly troubling given the scope of the attack…I hope that you will make yourself available to better explain the scope of the attack, update me and my office throughout the process on how and in what manner you are ensuring Washington state families and employers get the assistance they need going forward to protect themselves and what you are doing to prevent future attacks of this nature.”

Last month, along with HELP Committee Chairman Lamar Alexander (R-TN), Murray announced an ongoing, bipartisan HELP Committee oversight initiative to examine the security of health information technology and the health industry’s preparedness for cyber threats.

Full text of the letter:

Dear Mr. Roe:

I write to express my serious concern regarding the cyberattack on Premera Blue Cross and the failure of the company to make this information public and begin notifying current and former policy holders for over six weeks.  These failures are particularly troubling given the scope of the attack.  Not only did attackers access the personal information, such as names, birthdates, and Social Security numbers of millions of my constituents, they also potentially gained access to the personal health information and financial information of 11 million people, including 6 million current and former Washington state residents.  In addition, the confidential financial information of employers in my state, ranging from some of the largest companies with thousands of policy-holders to smaller organizations that are least able to bear the cost of the attack, was accessed. 

It is reported that the breach of Premera’s system was discovered on January 29, 2015, the same day as the breach of Anthem Incorporated’s system, and investigations have now demonstrated that both originated around the same time in May 2014.  As you know, unlike similar recent breaches affecting retail and financial service companies, the Health Insurance Portability and Accountability Act (HIPAA) requires that Premera provide notice without unreasonable delay and no later than 60 days after discovery of the breach.  I recently urged Anthem to accelerate the pace of notifying consumers as they have yet to reach more than 50 million of the nearly 80 million potentially impacted Americans.  And while I understand that both Anthem and Premera have worked closely with the Federal Bureau of Investigation and outside cyber security experts to investigate and address these attacks, I am very concerned by what led to Premera’s delay in making information about the breach public. 

I understand that Premera has now started to notify each of the affected individuals regarding the attack, and to offer two years of credit monitoring to those customers. I am glad that Premera is taking action on behalf of their customers. However, I remain concerned about the potential harm resulting from this enormous breach and what efforts Premera will make to ensure that any harm is remedied. It is my hope that Premera can move with great speed and efficiency to ensure that my constituents receive prompt notice and information about the services that are being made available to them.

At the beginning of the 114th Congress, I joined U.S. Senate Health, Education, Labor, and Pensions Committee Chairman Lamar Alexander (R-TN) in a bipartisan oversight initiative to examine the health industry’s preparedness for cyberattacks, including looking at what steps are currently being taken to protect against cyberattacks, what the industry and government should be doing to better protect patients’ personal information, and what barriers exist to making those improvements. I hope Premera will assist us in this effort to mitigate the impact of future cyberattacks on America’s health infrastructure.

While I understand that this attack is creating serious challenges for you, I would like to receive answers to the following questions by Friday, March 27, 2015:

  1. When will Premera complete efforts to notify the 11 million affected current and former policy holders?
  2. Why did Premera not immediately disclose the breach to the Department of Health and Human Services’ Office of Civil Rights as required by HIPAA?
  3. Why did Premera not immediately inform the 11 million current and former policy holders that their personal, financial and health records have potentially been compromised?
  4. What steps will Experian, now that it is retained by Premera, take to help affected individuals not just monitor but repair credit if necessary?
  5. What steps is Premera taking to assist Washington businesses that offer plans through Premera to address security risks arising from the breach?
  6. What steps is Premera taking to reduce and protect against risks of cyber incursions at companies whose employees are insured through Premera?
  7. What were the findings of outside security consultant Mandiant?
  8. How was the breach discovered?
  9. How were the attackers able to penetrate the entire Premera system?
  10. Were the attacks on Premera and Anthem connected and which company was attacked first?
  11. While Premera officials have stated that data was not moved off the Premera system, can you be certain that data that was accessed cannot be used for malicious purposes?
  12. Please explain how Premera uses the National Institute of Standards and Technology health care cyber security framework to implement and evaluate its cyber security.
  13. Why did Premera opt not to be certified by the Health Information Trust Alliance (HITRUST) and in what ways did Premera’s systems fail to meet the requirements for HITRUST certification?
  14. What steps did Premera take to improve cyber security to address issues raised in the 2014 audit by the Office of Personnel Management?
  15. What additional steps will Premera be taking to improve security going forward?

I hope that you will make yourself available to better explain the scope of the attack, update me and my office throughout the process on how and in what manner you are ensuring Washington state families and employers get the assistance they need going forward to protect themselves and what you are doing to prevent future attacks of this nature.

Patty Murray
Ranking Member

Cc: Senator Lamar Alexander, Chairman

###